1) There were numerous security weaknesses at the Department of Veterans Affairs. The VA inspector general reported to Congress that his office had been concerned about the department's security controls since 2001. The operating system, password system, and detection alerts were all vulnerable to security breaches. Centralized management of all IT programs and activities was paramount, but decentralized management was deep-rooted in the agency, making it resistant to change. Such "cultural impediments" were among the reasons why central management of IT at the departmental level, or a strong information security program, was not instituted earlier. The VA CIO and the chief information security officer needed greater authority to enforce security policies and mandates. The VA needed to consolidate its two IT domains so that IT programs and activities were centralized completely. The VA should not have authorized employees to take a laptop home and work from there. Employees were able to use, at home, special software designed to manipulate large amounts of data and to access the Social Security numbers of millions of veterans. The data was neither classified nor encrypted. The VA should also add physical and technical safeguards around its data systems so that they cannot be stolen as easily.
3) The VA did not deal with these problems effectively. Its response to the data crisis was extremely poor. The VA primarily stated that it could find no evidence that the stolen data had been used illegally. The department did not report the incident to law enforcement until two weeks after it learned of it, which may have inhibited the FBI's ability to perform a thorough investigation and solve the case. Even Jim Nicholson, Secretary of Veterans Affairs, did not learn about the theft until 13 days after it occurred. This is completely unacceptable. Nicholson and the appropriate authorities should have been informed the moment the first person discovered the theft. The VA tried to ignore its problems at first instead of adequately dealing with and resolving them. The VA did not increase its precautions enough to ensure that people's information would never be compromised again. In fact, another VA computer was later stolen from a contractor to whom the VA had outsourced computer work. This is a shame, because the VA should have learned to protect its computers and information the first time.
4) To prevent these problems, I have many suggestions. The VA must encrypt its information. It must also strengthen access control. Access control consists of all the policies and procedures a company uses to prevent improper access to systems by unauthorized insiders and outsiders. The user must be both authenticated and authorized in order to gain access. New authentication technologies, such as tokens, smart cards, and biometric authentication, overcome some of these problems. A token proves the identity of a single user. A smart card contains a chip formatted with access permissions and other data. Biometric authentication uses systems that read an individual's physical characteristics.
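The authenticate-then-authorize sequence described above, as an added example that is not part of the original post: a caller presents a signed, expiring token (standing in for the token or smart card the essay mentions), the system first verifies who the caller is, then checks a separate role table for what that caller may do, and records every decision in an audit trail. The user names, roles, signing key and actions are all constructed for illustration.

```python
"""Added example (not from the original post): a minimal
authenticate-then-authorize gate. Authentication proves identity;
authorization decides permitted actions; both outcomes are audited.
Every name and value here is constructed for illustration."""
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed server-side signing key; in practice it is loaded from a secret store.
SERVER_KEY = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 600

# Constructed role assignments: which role may perform which action.
ROLES = {
    "analyst": {"read:record"},
    "admin": {"read:record", "export:records"},
}
USERS = {"alice": "analyst", "bob": "admin"}

AUDIT_LOG = []  # in-memory audit trail of every access decision


def _sign(payload: str) -> str:
    """HMAC-SHA256 over the payload so a token cannot be altered or forged."""
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_token(user: str, now: Optional[float] = None) -> str:
    """Create a token of the form user|expiry|signature."""
    if user not in USERS:
        raise KeyError(f"unknown user: {user}")
    expiry = int((now if now is not None else time.time()) + TOKEN_TTL_SECONDS)
    payload = f"{user}|{expiry}"
    return f"{payload}|{_sign(payload)}"


def authenticate(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user named in a valid, unexpired token, otherwise None."""
    try:
        user, expiry, sig = token.split("|")
    except ValueError:  # malformed token
        return None
    payload = f"{user}|{expiry}"
    # Constant-time comparison so a forged signature cannot be guessed byte by byte.
    if not hmac.compare_digest(sig, _sign(payload)):
        return None
    if int(expiry) <= (now if now is not None else time.time()):
        return None  # expired
    return user if user in USERS else None


def authorize(user: str, action: str) -> bool:
    """Authorization is a separate step: a known user may still lack the permission."""
    return action in ROLES.get(USERS.get(user, ""), set())


def access(token: str, action: str, now: Optional[float] = None) -> bool:
    """Gate every request: authenticate first, then authorize; log either way."""
    user = authenticate(token, now)
    if user is None:
        AUDIT_LOG.append(("denied", "unauthenticated", action))
        return False
    allowed = authorize(user, action)
    AUDIT_LOG.append(("allowed" if allowed else "denied", user, action))
    return allowed


if __name__ == "__main__":
    token = issue_token("alice")
    print(access(token, "read:record"))      # analyst may read
    print(access(token, "export:records"))   # analyst may not export
    print(access(token + "x", "read:record"))  # tampered token is rejected
    print(AUDIT_LOG)
```

The point of keeping `authenticate` and `authorize` as separate functions is that a valid identity never implies a permission: the bulk export of millions of records is something only an explicitly authorized role can perform, and the audit log shows who attempted it.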